Code-Based Cryptography - Key Attacks

Post on 17-Jul-2020


Code-Based Cryptography: Key Attacks

I. Márquez-Corbella

Code-Based Cryptography

1. Error-Correcting Codes and Cryptography
2. McEliece Cryptosystem
3. Message Attacks (ISD)
4. Key Attacks
5. Other Cryptographic Constructions Relying on Coding Theory

I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

4. Key Attacks

1. Introduction
2. Support Splitting Algorithm
3. Distinguisher for GRS codes
4. Attack against subcodes of GRS codes
5. Error-Correcting Pairs
6. Attack against GRS codes
7. Attack against Reed-Muller codes
8. Attack against Algebraic Geometry codes
9. Goppa codes still resist


The McEliece Cryptosystem

Consider a family of codes $\mathcal{F}$ with an efficient decoding algorithm and indistinguishable from random codes.

Key Generation Algorithm:

1. $G \in \mathbb{F}_q^{k \times n}$ a generator matrix for $C \in \mathcal{F}$

2. $\mathcal{A}_C$ an "Efficient" decoding algorithm for $C$ which corrects up to $t$ errors.

Public Key: $K_{pub} = (G, t)$

Private Key: $K_{secret} = (\mathcal{A}_C)$

Parameters, key size, security level:

$[1024,524,101]_2$, 67 ko, $2^{62}$

$[2048,1608,48]_2$, 412 ko, $2^{96}$


The McEliece Cryptosystem

Encryption Algorithm: Encrypt a message $m \in \mathbb{F}_q^k$ as

$\mathrm{ENCRYPT}(m) = mG + e = y$

where $e$ is a random error vector of weight at most $t$.

Decryption Algorithm: Using $K_{secret}$, the receiver obtains $m$.

$\mathrm{DECRYPT}(y) = \mathcal{A}_C(y) = m$


Which code Family? - GRS codes

Generalized Reed-Solomon codes:
H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159−166, 1986.

Parameters, key size, security level:

$[256,128,129]_{256}$, 67 ko, $2^{95}$

Attack against this proposal:
V. M. Sidelnikov and S. O. Shestakov. On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Math. Appl., 2:439−444, 1992.


Which code Family? - Subcodes of GRS codes

Subcodes of GRS codes:
T. Berger and P. Loidreau. How to mask the structure of codes for a cryptographic use. Des. Codes Cryptogr., 35:63−79, 2005.

Attack against this proposal:
C. Wieschebrink. Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In Post-Quantum Cryptography, volume 6061 of Lecture Notes in Comput. Sci., pages 61−72, 2010.


Which code Family? - Reed-Muller codes

Reed-Muller codes:
V. Sidelnikov. A public-key cryptosystem based on Reed-Muller codes. Discrete Math. Appl., 4(3):191−207, 1994.

Parameters, key size, security level:

$[1024,176,128]_2$, 22.5 ko, $2^{72}$

$[2048,232,256]_2$, 59.4 ko, $2^{93}$

Attacks against this proposal:
L. Minder and A. Shokrollahi. Cryptanalysis of the Sidelnikov cryptosystem. In EUROCRYPT 2007, pages 347−360, 2007.

I. V. Chizhov and M. A. Borodin. The failure of McEliece PKC based on Reed-Muller codes. IACR Cryptology ePrint Archive, 287, 2013.


Which code Family? - AG codes

Algebraic Geometry codes:
H. Janwa and O. Moreno. McEliece public crypto system using algebraic-geometric codes. Designs, Codes and Cryptography, 1996.

Parameters, key size, security level:

$[171,109,61]_{128}$, 16 ko, $2^{66}$

Attacks against this proposal:
C. Faure and L. Minder. Cryptanalysis of the McEliece cryptosystem over hyperelliptic codes. Proceedings 11th Int. Workshop on Algebraic and Combinatorial Coding Theory, 2008.

A. Couvreur, I. Márquez-Corbella and R. Pellikaan. A polynomial time attack against Algebraic Geometry code based Public-Key Cryptosystems. ISIT 2014, 1446−1450, 2014.


Which code Family? - Concatenated codes

Concatenated codes:
H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159−166, 1986.

Attack against this proposal:
N. Sendrier. On the concatenated structure of a linear code. AAECC, 9(3):221−242, 1998.


Which code Family? - Convolutional codes

Convolutional codes:
C. Löndahl and T. Johansson. A new version of McEliece PKC based on convolutional codes. ICICS, 15(2): 461-470, 2012.

Attack against this proposal:
G. Landais and J.P. Tillich. An efficient attack of a McEliece cryptosystem variant based on convolutional codes. Post-Quantum Cryptography, LNCS, vol. 7932, 102-117, 2013.


Which code Family? - Binary Goppa codes

Binary Goppa codes:
R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 42-44:114−116, 1978.

Parameters, key size, security level:

$[1024,524,101]_2$, 67 ko, $2^{62}$

$[2048,1608,48]_2$, 412 ko, $2^{96}$

McEliece scheme with Goppa codes has resisted cryptanalysis so far!


[Figure: diagram of the code families (subcodes of AG codes, subcodes of GRS codes, alternant codes, Goppa codes, AG codes, GRS codes, Reed-Muller codes), each marked Broken or Unbroken. Annotations: subcodes of GRS codes of small dimension (Unbroken); new results in wild Goppa codes (Broken).]
